1
00:00:00,750 --> 00:00:02,440
Greetings, I'm Professor K.

2
00:00:02,730 --> 00:00:08,580
And in this short video presentation, we're going to be conducting a walkthrough for the Capture the Flag

3
00:00:08,580 --> 00:00:11,730
exercise EVM: 1.

4
00:00:12,770 --> 00:00:20,250
EVM: 1 was created by Ic0de and is intended to be an easy, beginner boot-to-root challenge.

5
00:00:20,720 --> 00:00:23,480
This lab works best when used with VirtualBox.

6
00:00:23,900 --> 00:00:30,620
The CTF is designed to introduce those new to CTF exercises to some of the basics of pentesting.

7
00:00:31,770 --> 00:00:38,280
For this lab's requirements, you will need one install of VirtualBox, one virtual install of Linux and

8
00:00:38,280 --> 00:00:40,800
one virtual install of the target OVA file.

9
00:00:42,070 --> 00:00:48,250
Once you have your virtual machines up and running inside VirtualBox, do ensure that you have the

10
00:00:48,250 --> 00:00:52,200
networking for both machines configured for Host-only Adapter.

11
00:00:52,780 --> 00:00:57,490
You're going to go up to Devices, you're going to go to Network, you're going to click on Network

12
00:00:57,490 --> 00:01:03,610
Settings, and under "Attached to" you're going to select Host-only Adapter.

13
00:01:04,990 --> 00:01:07,680
You'll want to do that on both of your virtual machines.

14
00:01:09,130 --> 00:01:15,010
We can assume that we have already discovered and identified our target, which is the site itself; that

15
00:01:15,010 --> 00:01:23,140
takes care of step one of the hacker's methodology, reconnaissance. Our next step in the hacker's methodology

16
00:01:23,140 --> 00:01:24,490
would be network scanning.

17
00:01:25,520 --> 00:01:30,970
And now that we have the target network identified, we need to find the IP address of our target machine,

18
00:01:31,430 --> 00:01:36,510
and for that we need to identify our network IP. Now, to begin this process,

19
00:01:36,530 --> 00:01:38,900
I'm just going to open up a terminal on my Kali machine.

20
00:01:40,700 --> 00:01:46,220
And I've zoomed in to the terminal prompt itself, so you can better see exactly what it is I'm doing

21
00:01:46,220 --> 00:01:53,390
at the terminal. Now, to identify my network IP, I have to find the first three octets of my IP address.

22
00:01:53,570 --> 00:01:54,220
To do this,

23
00:01:54,230 --> 00:01:56,630
I'm just going to type in ifconfig.

24
00:01:58,260 --> 00:02:02,460
And you'll notice that eth0, as you know, is the network adapter that we're going to focus on,

25
00:02:03,150 --> 00:02:09,330
so the IP address that is assigned to it is 192.168.56.123.

26
00:02:09,870 --> 00:02:13,290
The first three octets of this IP address are the network IP.

27
00:02:14,100 --> 00:02:17,010
That last octet gives us our host IP.

28
00:02:18,340 --> 00:02:20,890
I'm now going to go ahead and clear the terminal.

29
00:02:22,380 --> 00:02:28,030
Now, if you didn't have any idea of what the network IP for the network was, you could just run

30
00:02:28,050 --> 00:02:34,560
netdiscover without any of the switches or the IP address or the subnet mask, but that's going to take

31
00:02:34,560 --> 00:02:35,350
a long time.

32
00:02:36,240 --> 00:02:41,160
So I've typed in netdiscover, space, -r, which stands for the range.

33
00:02:42,020 --> 00:02:48,710
And I've typed in 192.168.56, which is the network portion of the IP address,

34
00:02:49,280 --> 00:02:56,390
then .0, and I've given it a /24, which means that you're going to ignore the first three

35
00:02:56,390 --> 00:03:03,900
octets of this IP address and just focus on the fourth octet, which is the host IP.

36
00:03:04,700 --> 00:03:06,040
This is all I want from you.

37
00:03:06,050 --> 00:03:13,370
That's approximately two hundred and fifty-five IP addresses that can be used, as opposed to scanning

38
00:03:13,370 --> 00:03:17,090
hundreds of thousands of IP addresses to get the same result.

39
00:03:17,660 --> 00:03:18,950
So I'm going to go ahead and hit Enter.

40
00:03:20,040 --> 00:03:26,220
And netdiscover is now sending out our request to anybody on the network that will listen.

41
00:03:27,310 --> 00:03:32,860
And after just a moment, you'll notice that the results come back and it gives you a couple of different

42
00:03:32,860 --> 00:03:33,800
IP addresses.

43
00:03:34,120 --> 00:03:40,780
Now, the IP address that we're interested in is the 192.168.56.103

44
00:03:40,780 --> 00:03:41,890
IP address.

45
00:03:42,580 --> 00:03:44,830
That's going to be the IP address of our target.

46
00:03:45,600 --> 00:03:51,540
Now, any IP addresses that I'm showing you, such as the one for my Kali machine or for the target,

47
00:03:52,290 --> 00:03:57,150
apply to me; those are my IP addresses, and your IP addresses may differ.

48
00:03:58,480 --> 00:04:01,120
To break out of the scan, I'm just going to hit Ctrl+C.

49
00:04:02,140 --> 00:04:04,900
That brings me back to the prompt. I'm going to go ahead and type in clear.

50
00:04:06,050 --> 00:04:11,600
And now we're going to conduct an Nmap scan, and we're going to continue on with the scanning portion

51
00:04:11,930 --> 00:04:14,090
of our hacker's methodology.

52
00:04:15,120 --> 00:04:20,190
We're now ready to run that Nmap scan to look for any ports or services that may be available to

53
00:04:20,190 --> 00:04:22,960
us for exploitation on our target machine.

54
00:04:23,850 --> 00:04:33,240
Now, for this particular scan, I've typed in -sC, which is the Nmap switch for launching a number

55
00:04:33,240 --> 00:04:34,940
of scripts against a target.

56
00:04:35,250 --> 00:04:39,630
There is a number of default scripts that Nmap will run against the target.

57
00:04:40,290 --> 00:04:46,800
Now the dash, small letter s, capital S: that is the typical TCP/IP scan

58
00:04:47,160 --> 00:04:54,690
that Nmap runs. The dash, capital O is version checking on the target.

59
00:04:55,350 --> 00:05:03,090
Now, interestingly enough, I can actually do an aggressive scan, and to do that all I have to do is just

60
00:05:03,090 --> 00:05:04,360
get rid of all these.

61
00:05:05,220 --> 00:05:06,630
Let's take a look at that real quick.

62
00:05:07,170 --> 00:05:12,270
If I get rid of all these switches here and I type in just -A,

63
00:05:13,230 --> 00:05:14,400
I get the same thing.

64
00:05:14,880 --> 00:05:16,020
Let's see how that works.

65
00:05:17,130 --> 00:05:24,220
Now, if you get this error message about a DNS server not being available, don't sweat it, just ignore

66
00:05:24,220 --> 00:05:24,450
it.

67
00:05:24,480 --> 00:05:29,010
We don't need a DNS server because we are in the local area network.

68
00:05:30,010 --> 00:05:38,800
So using the switch -A within Nmap gets the same results as using the dash, small letter

69
00:05:38,800 --> 00:05:45,910
s, capital C, the dash, small letter s, capital S, and the dash, capital O.

70
00:05:46,270 --> 00:05:53,290
The results are exactly the same, but for testing purposes, such as a certification exam, you would

71
00:05:53,290 --> 00:05:59,830
want to know all of these different switches and what they actually do when you're running Nmap.

72
00:06:00,670 --> 00:06:07,140
And so our Nmap results are in, and it tells us that the following port numbers, 22, 53,

73
00:06:07,150 --> 00:06:12,970
80, 110, 139, 143 and port 445, are open and running the

74
00:06:12,970 --> 00:06:19,870
following services: SSH, DNS, HTTP, POP3, NetBIOS and IMAP.

75
00:06:21,080 --> 00:06:25,640
And you can scroll up and down here and you can see all the different information about the scripts

76
00:06:25,640 --> 00:06:26,930
that were run as well.

77
00:06:27,560 --> 00:06:34,100
And down here, closer to the bottom, you'll see that we also have some information about the version

78
00:06:34,250 --> 00:06:36,310
of Linux that is running on the target.

79
00:06:37,190 --> 00:06:41,210
We get some information about the kernel, we get some details.

80
00:06:41,720 --> 00:06:46,760
And, of course, we've got the traceroute results, which tell us that the target is just one hop away.

81
00:06:47,800 --> 00:06:51,940
Let's go ahead and minimize our terminal and let's bring up a browser.

82
00:06:56,060 --> 00:07:03,590
So we know that we have HTTP running on our target machine and it's running an Apache web service, so

83
00:07:03,590 --> 00:07:06,470
let's take a look at the web page now.

84
00:07:06,480 --> 00:07:09,820
I consider this the low-hanging fruit when it comes to testing.

85
00:07:10,310 --> 00:07:11,720
This is the easy stuff.

86
00:07:12,140 --> 00:07:18,500
And this is where we can usually find some type of comment, we can find some type of code, and that

87
00:07:18,500 --> 00:07:22,310
would be located up inside of the source for that web page.

88
00:07:22,610 --> 00:07:24,080
Let's take a look at how we do that.

89
00:07:24,560 --> 00:07:29,690
So I'm going to open up a browser, and in the address bar I'm just going to type in the IP address

90
00:07:29,690 --> 00:07:32,960
of the target machine that is running a web service.

91
00:07:34,240 --> 00:07:39,520
And it comes up with a default page for Apache, and if we scroll down here just a little bit, we get

92
00:07:39,520 --> 00:07:44,110
our first clue, and it says: you can find me at a directory

93
00:07:45,140 --> 00:07:48,650
located on this machine called wordpress; I'm vulnerable

94
00:07:49,640 --> 00:07:53,020
webapp. OK, that's a pretty good clue.

95
00:07:54,300 --> 00:08:00,270
Now, you can also right-click and you can view the selection source and see if anything else is going

96
00:08:00,270 --> 00:08:06,120
on in here, and I don't see anything else except that little bit of a message we were just given about

97
00:08:06,120 --> 00:08:07,380
something being vulnerable.

98
00:08:08,130 --> 00:08:09,050
Close that out.

99
00:08:10,280 --> 00:08:14,180
So we can minimize our web browser, send it up to the taskbar.

100
00:08:15,570 --> 00:08:23,490
So to confirm that there actually is a directory called wordpress on the Apache server, we can use

101
00:08:23,490 --> 00:08:25,320
another application called dirb.

102
00:08:25,890 --> 00:08:28,090
dirb is a web content scanner.

103
00:08:28,200 --> 00:08:31,350
It looks for existing and/or hidden web objects.

104
00:08:31,950 --> 00:08:38,160
dirb works by launching a dictionary-based attack against a web server and analysing the responses.

105
00:08:39,200 --> 00:08:41,060
Let's go ahead and open up a fresh terminal.

106
00:08:41,990 --> 00:08:47,750
dirb comes preinstalled with your Kali installation, so at the prompt, all I have to do is just type

107
00:08:47,750 --> 00:08:56,620
in dirb, space, and the URL for that target machine, and that's going to be http://, for example,

108
00:08:56,620 --> 00:08:58,160
and then the IP address.

109
00:08:58,890 --> 00:09:00,110
I'm going to go ahead and hit Enter.

110
00:09:01,200 --> 00:09:07,950
dirb comes back right away and it tells us that there actually is a directory located on that web server

111
00:09:07,950 --> 00:09:10,710
called wordpress, and we can see the results right here.

112
00:09:11,870 --> 00:09:17,510
Now, we know that this is also going to be a WordPress site because we can see the contents down here

113
00:09:17,780 --> 00:09:23,980
that tell us that all of these default directories belong to a WordPress application.

114
00:09:25,550 --> 00:09:29,960
Let's go ahead and minimize this terminal as well, and let's open up a new terminal.

115
00:09:30,930 --> 00:09:36,570
Now, another tool that comes preinstalled with your installation of Kali is WPScan. WP stands

116
00:09:36,570 --> 00:09:37,990
for WordPress.

117
00:09:38,610 --> 00:09:46,530
So we're going to scan that WordPress installation on the web server, and we're going to find, hopefully,

118
00:09:46,530 --> 00:09:50,170
a username, and then we're going to look for a password.

119
00:09:50,850 --> 00:09:53,120
So let's look at what I've typed in here.

120
00:09:53,130 --> 00:10:02,780
I typed in wpscan, space, --url, space, the URL and the directory we want to look in.

121
00:10:03,510 --> 00:10:11,220
So I've typed in http://192.168.56.103

122
00:10:11,220 --> 00:10:12,630
/wordpress.

123
00:10:13,020 --> 00:10:15,180
That is the directory for WordPress.

124
00:10:15,420 --> 00:10:27,060
And then, after that, give it a space, a -e, and a space, at, -e, space, ap, -e,

125
00:10:28,400 --> 00:10:31,550
capital U. Let's go ahead and run this.

126
00:10:33,140 --> 00:10:38,960
Now, the first time that you run WPScan on Kali, it's going to want to go out to the Internet and

127
00:10:38,960 --> 00:10:41,920
pull down any updates that it has for the application.

128
00:10:42,380 --> 00:10:45,230
So you're going to want to go up inside of your networking.

129
00:10:46,810 --> 00:10:52,510
And you're going to want to change, on your Kali machine only, the adapter from Host-only Adapter

130
00:10:52,510 --> 00:10:56,770
to NAT Network, then you're going to rerun the command.

131
00:10:56,920 --> 00:10:59,170
It'll update; when it's done updating,

132
00:10:59,170 --> 00:11:05,130
you come back in to the networking settings for just your Kali and you're going to change it back to

133
00:11:05,140 --> 00:11:06,970
Host-only Adapter.

134
00:11:07,780 --> 00:11:12,310
You're then going to run that command one more time and you will get these results.

135
00:11:12,670 --> 00:11:16,120
So the user we have identified is called c0rrupt3d_brain.

136
00:11:17,110 --> 00:11:22,430
And now we're going to look for a password for this user called c0rrupt3d_brain.

137
00:11:22,900 --> 00:11:24,700
Let's go ahead and minimize this terminal.

138
00:11:26,130 --> 00:11:32,820
Now, before we can brute-force a password using WPScan against a user called c0rrupt3d_brain, we

139
00:11:32,820 --> 00:11:33,690
need a wordlist.

140
00:11:34,050 --> 00:11:36,150
Now let's look where these wordlists are located.

141
00:11:36,600 --> 00:11:39,840
So back on my Kali desktop, I'm going to open up my file system.

142
00:11:40,530 --> 00:11:43,230
I'm going to scroll on down here till I come to usr.

143
00:11:44,370 --> 00:11:51,320
Open up that directory; in the next window pane to the right, I'm going to open up that share directory

144
00:11:52,050 --> 00:11:52,260
now.

145
00:11:52,260 --> 00:11:57,210
I'm going to scroll all the way down to the Ws and I'm going to look for wordlists.

146
00:11:58,640 --> 00:11:59,450
And there it is.

147
00:11:59,630 --> 00:12:07,490
Let's open it up. Now, the wordlist that we want to use is rockyou.txt, but you won't have the rockyou.txt

148
00:12:07,730 --> 00:12:12,410
file by default, because it's in an archive, because it's rather large.

149
00:12:12,950 --> 00:12:16,850
So what you're going to want to do when you get in here for the first time is right-

150
00:12:16,850 --> 00:12:25,730
click on the archive for rockyou.txt, and you're going to select Extract Here; that is going to give

151
00:12:25,730 --> 00:12:31,370
you the text file for the rockyou.txt wordlist.

152
00:12:32,330 --> 00:12:37,790
I'm going to close it out, I'm going to bring back up our last terminal, and what we're going to

153
00:12:37,790 --> 00:12:39,320
do here is just go ahead and clear it.

154
00:12:40,820 --> 00:12:47,150
So, again, we're going to do a brute force against that user up inside of that WordPress site called

155
00:12:47,270 --> 00:12:50,160
c0rrupt3d_brain using WPScan.

156
00:12:50,540 --> 00:12:58,010
So again, I've typed in the command wpscan, space, --url, that same URL that we had before,

157
00:12:58,430 --> 00:13:05,240
going up inside of that WordPress directory, giving it a -U, which stands for user, and the name

158
00:13:05,240 --> 00:13:07,490
of this user is c0rrupt3d_brain.

159
00:13:08,100 --> 00:13:09,830
Give it a space, dash,

160
00:13:09,830 --> 00:13:12,920
capital P, which stands for password.

161
00:13:13,910 --> 00:13:20,360
Now I'm going to have to give it the path that I want it to use to find that rockyou.txt.

162
00:13:21,050 --> 00:13:28,960
So it's the same path that we used to go find or look at rockyou.txt: forward slash usr, forward slash

163
00:13:29,000 --> 00:13:34,620
share, forward slash wordlists, and finally forward slash rockyou.txt.

164
00:13:35,060 --> 00:13:41,400
Now, this is a very particular command, so make sure that these switches are in the right colour.

165
00:13:41,420 --> 00:13:45,340
Now, when you copy and paste it the first time, they might not be in colour.

166
00:13:45,350 --> 00:13:48,140
They could just be the same default text of white.

167
00:13:48,530 --> 00:13:54,100
That means that the switches are not being read or understood correctly by the bash shell.

168
00:13:54,530 --> 00:13:58,060
So make sure that this happens, because this is a very particular command.

169
00:13:58,700 --> 00:14:02,260
Hopefully this is going to work the first time and we don't have to troubleshoot it.

170
00:14:02,270 --> 00:14:04,670
Let's go ahead and give it a go; hit Enter.

171
00:14:06,720 --> 00:14:13,140
And you'll notice down at the bottom, it begins the scanning of the wordlist for the password for

172
00:14:13,140 --> 00:14:15,030
our user c0rrupt3d_brain.

173
00:14:16,440 --> 00:14:24,510
And so our scan completed in three minutes and 15 seconds; it found a valid combination for the username

174
00:14:25,290 --> 00:14:31,720
c0rrupt3d_brain with the password 24992499.

175
00:14:32,400 --> 00:14:36,720
We're now going to use a well-known exploit that's available to us up inside of Metasploit.

176
00:14:37,530 --> 00:14:43,020
This is going to allow us to establish a reverse shell, which is something every pentester wants to

177
00:14:43,020 --> 00:14:43,380
do.

178
00:14:44,130 --> 00:14:51,920
We're going to get access, as limited as it is, to the target machine using a terminal.

179
00:14:53,220 --> 00:14:55,130
And so that's going to conclude the

180
00:14:55,140 --> 00:15:01,200
first two parts of the hacker's methodology: network scanning and enumeration.

181
00:15:01,500 --> 00:15:08,010
And we're going to continue on in the second video with doing the exploitation and privilege escalation

182
00:15:08,010 --> 00:15:08,580
steps.

183
00:15:08,970 --> 00:15:12,510
So I'll see you in the next video, part two.